Breaking Change T1159594
WPF "Object" properties: Changes made to deserialization mechanism

What Changed

To enhance overall security, we modified internal logic associated with type name processing (including, but not limited to, our deserialization mechanism).
If the following properties utilize untrusted types, restore operations involving these APIs will generate security warnings:

Charts

  • DevExpress.Xpf.Charts.PieTotalLabel.Content
  • DevExpress.Xpf.Charts.AxisCoordinate.AxisValue
  • DevExpress.Xpf.Charts.Annotation.Content
  • DevExpress.Xpf.Charts.Range.MinValue
  • DevExpress.Xpf.Charts.Range.MaxValue
  • DevExpress.Xpf.Charts.ScaleBreak.Edge1
  • DevExpress.Xpf.Charts.ScaleBreak.Edge2
  • DevExpress.Xpf.Charts.FinancialIndicator.Argument1
  • DevExpress.Xpf.Charts.FinancialIndicator.Argument2
  • DevExpress.Xpf.Charts.Indicator.Legend
  • DevExpress.Xpf.Charts.NestedDonutSeries2D.Group
  • DevExpress.Xpf.Charts.ConstantLine.Value
  • DevExpress.Xpf.Charts.ConstantLine.Legend
  • DevExpress.Xpf.Charts.CustomAxisLabel.Value
  • DevExpress.Xpf.Charts.CustomAxisLabel.Content
  • DevExpress.Xpf.Charts.BarSideBySideFullStackedSeries2D.StackedGroup
  • DevExpress.Xpf.Charts.BarSideBySideStackedSeries2D.StackedGroup
  • DevExpress.Xpf.Charts.DataFilter.Value
  • DevExpress.Xpf.Charts.TitleBase.Content
  • DevExpress.Xpf.Charts.SeriesPoint.ToolTipHint
  • DevExpress.Xpf.Charts.Series.ToolTipHint
  • DevExpress.Xpf.Charts.Series.Legend
  • DevExpress.Xpf.Charts.Strip.MinLimit
  • DevExpress.Xpf.Charts.Strip.MaxLimit
  • DevExpress.Xpf.Charts.Strip.Legend
  • DevExpress.Xpf.Charts.AxisRange.MinValue
  • DevExpress.Xpf.Charts.AxisRange.MaxValue

Diagram Control

  • DevExpress.Xpf.Diagram.DiagramContentItem.Content

Dock and Layout Manager

  • DevExpress.Xpf.Docking.LabelItem.Content
  • DevExpress.Xpf.Docking.BaseLayoutItem.Caption
  • DevExpress.Xpf.Docking.BaseLayoutItem.TabCaption
  • DevExpress.Xpf.Docking.BaseLayoutItem.ToolTip

Layout Control

  • DevExpress.Xpf.LayoutControl.LayoutGroup.Header
  • DevExpress.Xpf.LayoutControl.LayoutItem.Label

Data Grid and Tree List

  • DevExpress.Xpf.Grid.ColumnBase.ColumnChooserHeaderCaption
  • DevExpress.Xpf.Grid.IndicatorFormatConditionBase.MinValue
  • DevExpress.Xpf.Grid.IndicatorFormatConditionBase.MaxValue
  • DevExpress.Xpf.Grid.FormatCondition.Value1
  • DevExpress.Xpf.Grid.FormatCondition.Value2
  • DevExpress.Xpf.Grid.BaseColumn.Header
  • DevExpress.Xpf.Grid.BaseColumn.HeaderToolTip
  • DevExpress.Xpf.Grid.DataViewBase.DetailHeaderContent
  • DevExpress.Xpf.Grid.DataViewBase.Header
  • DevExpress.Xpf.Grid.TreeListView.RootValue

Tree View

  • DevExpress.Xpf.Grid.TreeViewControl.RootValue

Pivot Grid

  • DevExpress.Xpf.PivotGrid.FormatCondition.Value1
  • DevExpress.Xpf.PivotGrid.FormatCondition.Value2
  • DevExpress.Xpf.PivotGrid.IndicatorFormatConditionBase.MinValue
  • DevExpress.Xpf.PivotGrid.IndicatorFormatConditionBase.MaxValue
  • DevExpress.Xpf.PivotGrid.PivotGridField.SummaryFilterStartValue
  • DevExpress.Xpf.PivotGrid.PivotGridField.SummaryFilterEndValue
  • DevExpress.Xpf.PivotGrid.SortByCondition.Value

Reasons for Change

This change enhances overall app security by detecting code that processes untrusted types.

Impact on an Existing App

If you utilize untrusted types, restore operations involving these APIs will generate security warnings.

How to Update an Existing App

Properties listed above are not deserialized if they include a custom type value. Deserialization for a custom type is only available for string values.

To deserialize custom types, specify a converter (via the IOneTypeObjectConverter interface) that converts a custom type to/from a string. This converter is invoked automatically whenever our deserialization mechanism encounters a registered custom type:

C#
    using System;
    using DevExpress.Utils.Serializing.Helpers;

    struct CustomType {
        public readonly int Value;
        public CustomType(int value) {
            this.Value = value;
        }
    }

    // Converts CustomType to and from its string representation.
    public class CustomTypeConverter : IOneTypeObjectConverter {
        public Type Type {
            get { return typeof(CustomType); }
        }
        public string ToString(object obj) {
            return ((CustomType)obj).Value.ToString("D");
        }
        public object FromString(string str) {
            return new CustomType(int.Parse(str));
        }
    }

    // Register the converter at application startup.
    ObjectConverter.Instance.RegisterConverter(new CustomTypeConverter());
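
Because the string handed to `FromString` comes from the layout being restored, a converter can validate it as untrusted input. The following is an added example, not DevExpress code: the `Temperature` type, its `"21.5C"` text format, the length limit and the choice to throw `FormatException` on bad input are all assumptions made for illustration; only the `IOneTypeObjectConverter` members shown above are taken from this page.

```csharp
using System;
using System.Globalization;
using DevExpress.Utils.Serializing.Helpers;

// Hypothetical custom type stored in one of the "object" properties listed above.
public struct Temperature {
    public readonly decimal Degrees;
    public readonly char Unit; // 'C' or 'F'
    public Temperature(decimal degrees, char unit) { Degrees = degrees; Unit = unit; }
}

public class TemperatureConverter : IOneTypeObjectConverter {
    const int MaxLength = 32; // upper bound on accepted input, chosen for this example

    public Type Type { get { return typeof(Temperature); } }

    // Write a culture-independent form such as "21.5C", so a layout saved on
    // one machine parses identically on another.
    public string ToString(object obj) {
        var t = (Temperature)obj;
        return t.Degrees.ToString(CultureInfo.InvariantCulture) + t.Unit;
    }

    // Treat the stored string as untrusted: bound its length, accept only the
    // exact grammar ToString produces, and reject everything else.
    public object FromString(string str) {
        if (string.IsNullOrEmpty(str) || str.Length < 2 || str.Length > MaxLength)
            throw new FormatException("Temperature: unexpected length.");

        char unit = str[str.Length - 1];
        if (unit != 'C' && unit != 'F')
            throw new FormatException("Temperature: unknown unit.");

        // No thousands separators, exponents, currency symbols or whitespace.
        const NumberStyles styles =
            NumberStyles.AllowLeadingSign | NumberStyles.AllowDecimalPoint;
        decimal degrees;
        if (!decimal.TryParse(str.Substring(0, str.Length - 1), styles,
                              CultureInfo.InvariantCulture, out degrees))
            throw new FormatException("Temperature: malformed number.");

        return new Temperature(degrees, unit);
    }
}
```

Register it at application startup with `ObjectConverter.Instance.RegisterConverter(new TemperatureConverter());`, the same call used for the converter above.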

How to Revert to Previous Behavior

The previous behavior is no longer available.

See Also

WinForms - System.Object type properties: Deserialization-related changes
